nanog mailing list archives

Re: DDoS using port 0 and 53 (DNS)


From: Roland Dobbins <rdobbins () arbor net>
Date: Wed, 25 Jul 2012 11:05:48 +0700



Frank Bulk <frnkblk () iname com> wrote:

Unfortunately I don't have packet captures of any of the attacks, so I
can't examine them for more detail, but wondering if there was some
collective wisdom about blocking port 0.

Yes - don't do it, or you will break the Internet. These are non-initial fragments.

You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS 
responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your 
peers/upstreams to block these attacks when they occur. 

Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy 
customers and soon-to-be former customers. 

;>
-----------------------------------
Roland Dobbins <rdobbins () arbor net>
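The point Roland makes, illustrated with an added example that is not part of the thread: in NetFlow/IPFIX-style records a non-initial IP fragment carries no UDP header, so both ports show as 0. A wholesale "drop port 0" rule therefore also discards every legitimate fragmented UDP transfer, while a source-based block (what S/RTBH or flowspec would install against the reflectors) only removes the attack traffic. The flow records, the 1000-byte "large DNS response" threshold and the helper names are constructed for this example.

```python
"""Added example (not from the NANOG thread): comparing a port-0 block with a
source-based block against fragmented DNS reflection, on constructed flows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP
    sport: int        # reported as 0 when the record is a non-initial fragment
    dport: int
    nbytes: int
    pkts: int
    frag_offset: int  # > 0 means non-initial fragment (no L4 header present)


# Constructed sample records; all addresses are from documentation ranges.
VICTIM = "203.0.113.5"
FLOWS = [
    # Amplified DNS responses: the initial fragment carries the UDP header
    # (source port 53) ...
    Flow("198.51.100.10", VICTIM, 17, 53, 33333, 1480, 1, 0),
    # ... and the rest of each datagram arrives as port-0 non-initial fragments.
    Flow("198.51.100.10", VICTIM, 17, 0, 0, 1500, 1, 185),
    Flow("198.51.100.11", VICTIM, 17, 53, 33333, 1480, 1, 0),
    Flow("198.51.100.11", VICTIM, 17, 0, 0, 1500, 1, 185),
    # Legitimate fragmented NFS-over-UDP reply to another customer.
    Flow("192.0.2.20", "203.0.113.7", 17, 2049, 700, 1480, 1, 0),
    Flow("192.0.2.20", "203.0.113.7", 17, 0, 0, 1200, 1, 185),
    # Ordinary small DNS answer and a TCP session, both unaffected.
    Flow("192.0.2.53", "203.0.113.7", 17, 53, 50000, 120, 1, 0),
    Flow("192.0.2.30", "203.0.113.7", 6, 443, 51000, 6000, 5, 0),
]

LARGE_RESPONSE_BYTES = 1000  # assumed threshold for an "amplified" DNS answer


def is_non_initial_fragment(f: Flow) -> bool:
    """Port 0 in a flow record is a symptom of a missing L4 header, not a service."""
    return f.frag_offset > 0


def naive_port0_drop(flows):
    """The approach the reply warns against: drop everything with port 0."""
    return [f for f in flows if f.sport == 0 or f.dport == 0]


def find_reflectors(flows, victim):
    """Sources sending large DNS responses (source port 53) at the victim."""
    reflectors = set()
    for f in flows:
        if (f.dst == victim and f.proto == 17 and f.sport == 53
                and f.nbytes / f.pkts >= LARGE_RESPONSE_BYTES):
            reflectors.add(f.src)
    return reflectors


def source_block_drop(flows, blocked_sources):
    """S/RTBH or flowspec equivalent: match on source address only, which
    also removes that source's non-initial fragments without touching others."""
    return [f for f in flows if f.src in blocked_sources]


def collateral(flows, dropped, victim=VICTIM):
    """Dropped flows that did not come from a reflector (what customers feel)."""
    reflectors = find_reflectors(flows, victim)
    return [f for f in dropped if f.src not in reflectors]


if __name__ == "__main__":
    naive = naive_port0_drop(FLOWS)
    print("port-0 block collateral:", collateral(FLOWS, naive))
    targeted = source_block_drop(FLOWS, find_reflectors(FLOWS, VICTIM))
    print("source-based block collateral:", collateral(FLOWS, targeted))
```

Run stand-alone, the port-0 rule reports the NFS customer's fragment as collateral, while the source-based block drops only the four attack records. The same split works over real flow exports once the record fields are mapped onto `Flow`.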

